<aside>
This article provides a detailed exploration of a CI/CD pipeline implemented using Jenkins for a Java web application. Through a sequence of steps, it demonstrates the integration of tools such as Maven, SonarQube, Trivy, Snyk, Docker, ACR, Helm, AKS, and OWASP ZAP. The pipeline ensures quality, security, and efficient deployment.
</aside>
Global Architecture of the pipeline

Create your own architecture using draw.io
Overview
- The developer makes changes to the application source code.
- The developer commits the code changes to GitHub.
- Jenkins fetches the code from our GitHub repository.
- Jenkins builds the project artifact using Maven.
- Jenkins performs Static Application Security Testing (SAST) with SonarQube and passes the build through the Quality Gate.
- Jenkins performs Software Composition Analysis (SCA) with Snyk.
- Jenkins builds a Docker image using our Dockerfile.
- Jenkins scans the image for vulnerabilities using Trivy.
- Jenkins uploads the Docker image to Azure Container Registry (ACR).
- Jenkins creates a Helm chart for the Kubernetes deployment.
- Jenkins installs the Helm chart in our Azure Kubernetes Service (AKS) cluster.
- Jenkins runs Dynamic Application Security Testing (DAST) using OWASP Zed Attack Proxy (ZAP) against the application once it is deployed.
Tools used
- Azure Kubernetes Service (AKS): simplifies the deployment, management, and operation of Kubernetes.
- Azure Container Registry (ACR): stores and manages container images across all types of Azure deployments.
- Maven: builds our application from the pom.xml file.
- SonarQube: used for continuous analysis of source code quality; it analyses the code to detect duplications, bugs, security vulnerabilities and code smells across many programming languages.
- Docker: an open source containerization platform.
- Trivy: a simple and comprehensive vulnerability and secret scanner for containers and other artifacts. Trivy detects vulnerabilities in OS packages. It also scans Infrastructure as Code (IaC) files such as Terraform and Kubernetes manifests to detect potential configuration issues that expose your deployments to the risk of attack, and it scans for hard-coded secrets such as passwords, API keys and tokens.
- Snyk: an open-source security platform for finding vulnerabilities in the source code of an application.
- OWASP ZAP: an open source web application security scanner.
- Helm: an automation tool that streamlines the creation, packaging, configuration, and deployment of Kubernetes applications.
Pre-requisites
A Jenkins instance is set up and running
First we should install Jenkins following the official documentation: https://www.jenkins.io/doc/book/installing/linux/ (we will install Jenkins on the local machine (Ubuntu 22), set up a username and password for login, and install the plugins suggested by the setup wizard).

Now we'll set up the personal access token that Jenkins will use to interact with our repository. In your GitHub account go to Settings > Developer Settings > Personal Access Tokens > Generate New Token.


Next, we will copy that token and go to "Manage Jenkins" > "Manage Credentials" > "Add Credentials". Choose "Username and Password" (the token is used as the password) and give the credential an ID.
Let's proceed with creating our pipeline. In the Jenkins dashboard, click on "Create an item", choose a name for the pipeline, select the "Pipeline" option, and then click "OK".

In the pipeline section, we'll choose "Pipeline script from SCM" for the Definition and "Git" for SCM. Paste our GitHub project URL, set Credentials to our newly created GitHub credentials, and then click on "Save".
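With "Pipeline script from SCM", Jenkins reads a Jenkinsfile from the repository. The following declarative Jenkinsfile is an added example (not the article's own pipeline) that sketches the stages listed in the Overview, with each security tool configured to fail the build on findings so a vulnerable artifact never reaches ACR or AKS. The Maven tool name, the SonarQube server name, all credential IDs, the registry host, image name, chart path and the DAST target URL are assumptions.

```groovy
pipeline {
    agent any
    tools { maven 'Maven3' }                                    // assumed tool name
    environment {
        ACR   = 'myregistry.azurecr.io'                         // assumed ACR host
        IMAGE = "${ACR}/javawebapp:${env.BUILD_NUMBER}"         // assumed repository
    }
    stages {
        stage('Checkout') { steps { git credentialsId: 'github-creds', url: 'https://github.com/org/javawebapp.git' } }
        stage('Build') { steps { sh 'mvn -B clean package' } }
        stage('SAST + Quality Gate') {
            steps {
                withSonarQubeEnv('SonarQube') { sh 'mvn sonar:sonar' }
                // Wait for the SonarQube webhook; a failed Quality Gate aborts the run.
                timeout(time: 5, unit: 'MINUTES') { waitForQualityGate abortPipeline: true }
            }
        }
        stage('SCA') {
            steps { withCredentials([string(credentialsId: 'snyk-token', variable: 'SNYK_TOKEN')]) {
                sh 'snyk test --severity-threshold=high'       // non-zero exit fails the stage
            } }
        }
        stage('Docker build') { steps { sh "docker build -t ${IMAGE} ." } }
        stage('Image scan') {
            // Exit 1 on HIGH/CRITICAL findings, so a vulnerable image is never pushed.
            steps { sh "trivy image --exit-code 1 --severity HIGH,CRITICAL ${IMAGE}" }
        }
        stage('Push to ACR') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'acr-creds',
                                 usernameVariable: 'ACR_USER', passwordVariable: 'ACR_PASS')]) {
                    sh 'echo "$ACR_PASS" | docker login "$ACR" -u "$ACR_USER" --password-stdin'
                    sh "docker push ${IMAGE}"
                }
            }
        }
        stage('Deploy to AKS') {
            steps { withCredentials([file(credentialsId: 'aks-kubeconfig', variable: 'KUBECONFIG')]) {
                sh "helm upgrade --install javawebapp ./helm/javawebapp --set image.tag=${env.BUILD_NUMBER}"
            } }
        }
        stage('DAST') {
            // Passive baseline scan of the deployed app (-I: warnings do not fail the build).
            steps { sh "docker run --rm -v \$PWD:/zap/wrk:rw ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -I -t http://javawebapp.example.test -r zap-report.html" }
        }
    }
    post { always { archiveArtifacts artifacts: 'zap-report.html', allowEmptyArchive: true } }
}
```

The Quality Gate step requires a SonarQube webhook pointing back at Jenkins, and the Snyk and Trivy stages rely on the tools' own non-zero exit codes to stop the pipeline before the push stage runs.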